
How to secure a Web Service with ACEGI

Sep 9th, 2005, 06:54 PM

Our project is not to the point where we have to implement a Web Service but I think it's a good time to start asking questions. Does acegi offer something to secure WSes or is one forced to use the industry standards (does that mean CAS only?). Any real world examples or links would be really useful. Thanks

1. Protecting the web services endpoint URLs, such as /ws/** with a ROLE_WEB_SERVICE or similar. This ensures that only authorized principals can invoke the web service. Generally BASIC authentication is used with the web service (as nearly all web services support BASIC authentication out-of-the-box, and indeed implementing a BASIC authentication client from scratch is a very simple exercise).

2. Protecting individual methods on the service layer that the web services act as a facade to. So, your FooManager.create() method is accessible by the FooManagerHttpInvoker web service. You can elect to have very little security at the web request level (ie protecting /ws/FooManagerHttpInvoker**), and instead rely on MethodSecurityInterceptor to protect FooManager.create=ROLE_FOO_CREATION. Any AuthorizationExceptions are therefore transported back to the client, which is more informative than a 403 error (SC_FORBIDDEN).
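As an added illustration of the two layers described in the reply above (this is example configuration written for this page, not code from the original thread or from the Acegi project), the following Spring bean definitions wire BASIC authentication plus a /ws/** URL check in front of a FooManager HTTP invoker exporter, and a MethodSecurityInterceptor around FooManager.create() behind it. The bean ids, the com.example classes, the realm name and the "authenticationManager" bean (assumed to be defined elsewhere) are assumptions; the package prefix is that of Acegi 0.9 (net.sf.acegisecurity), which Acegi 1.0 later renamed to org.acegisecurity.

```xml
<!-- Added example, not from the original thread: two-layer Acegi wiring for the
     FooManager web service discussed above. Bean ids, the com.example classes,
     the realm name and the "authenticationManager" bean are assumptions. -->
<beans>

  <!-- Layer 1: HTTP BASIC authentication on the web service endpoints. -->
  <bean id="basicProcessingFilter"
        class="net.sf.acegisecurity.ui.basicauth.BasicProcessingFilter">
    <property name="authenticationManager"><ref bean="authenticationManager"/></property>
    <property name="authenticationEntryPoint"><ref bean="basicEntryPoint"/></property>
  </bean>

  <bean id="basicEntryPoint"
        class="net.sf.acegisecurity.ui.basicauth.BasicProcessingFilterEntryPoint">
    <property name="realmName"><value>Web Services</value></property>
  </bean>

  <!-- A single RoleVoter is enough for plain ROLE_* checks at both layers. -->
  <bean id="roleVoter" class="net.sf.acegisecurity.vote.RoleVoter"/>

  <bean id="accessDecisionManager" class="net.sf.acegisecurity.vote.AffirmativeBased">
    <property name="decisionVoters">
      <list><ref bean="roleVoter"/></list>
    </property>
  </bean>

  <!-- Layer 1 (continued): only ROLE_WEB_SERVICE principals may reach /ws/** at all.
       URLs are lower-cased before matching, so patterns must be lower-case too. -->
  <bean id="filterSecurityInterceptor"
        class="net.sf.acegisecurity.intercept.web.FilterSecurityInterceptor">
    <property name="authenticationManager"><ref bean="authenticationManager"/></property>
    <property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property>
    <property name="objectDefinitionSource">
      <value>
        CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
        PATTERN_TYPE_APACHE_ANT
        /ws/**=ROLE_WEB_SERVICE
      </value>
    </property>
  </bean>

  <!-- Layer 2: protect the service method itself, whichever transport calls it. -->
  <bean id="fooManagerSecurity"
        class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
    <property name="authenticationManager"><ref bean="authenticationManager"/></property>
    <property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property>
    <property name="objectDefinitionSource">
      <value>
        com.example.FooManager.create=ROLE_FOO_CREATION
      </value>
    </property>
  </bean>

  <!-- Assumed application classes: the service interface and its implementation. -->
  <bean id="fooManagerTarget" class="com.example.FooManagerImpl"/>

  <!-- The interceptor is applied through an AOP proxy; the target bean comes last. -->
  <bean id="fooManager" class="org.springframework.aop.framework.ProxyFactoryBean">
    <property name="proxyInterfaces"><value>com.example.FooManager</value></property>
    <property name="interceptorNames">
      <list>
        <value>fooManagerSecurity</value>
        <value>fooManagerTarget</value>
      </list>
    </property>
  </bean>

  <!-- The remote exporter publishes the secured proxy, never the raw target. -->
  <bean name="/ws/FooManagerHttpInvoker"
        class="org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter">
    <property name="service"><ref bean="fooManager"/></property>
    <property name="serviceInterface"><value>com.example.FooManager</value></property>
  </bean>
</beans>
```

Two things the fragment leaves out: basicProcessingFilter and filterSecurityInterceptor still have to be placed in the servlet filter chain (in Acegi that is done through FilterToBeanProxy or FilterChainProxy in web.xml), and the /ws/FooManagerHttpInvoker bean name only becomes a URL when it lives in a DispatcherServlet context that maps bean names to URLs. The point worth checking once it is wired up is the behaviour the reply describes: a caller who authenticates with ROLE_WEB_SERVICE but lacks ROLE_FOO_CREATION passes layer 1 and is then rejected by the method interceptor, so the access-denied exception travels back through the HTTP invoker to the client instead of a bare 403.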